GitOps for Tailscale ACLs workflow runs but changes not reflected in Tailscale UI

I’ve set up the GitHub Workflow action to push ACLs to Tailscale. However, when I make changes to my policy file, the action appears to run successfully but I’m not seeing any updates in the Tailscale UI…

I pushed a first change to remove a comment but then, in case non-substantive changes were not reflected, made a change to a group name and membership too. Neither change has come across.

Hey @Campbell

I am experiencing the same. I haven’t had time to debug it fully, but I have the impression that an old version of the file in the repo is restored whenever the workflow is run.

I say this because if I do make a change in the UI and then make an update to the file in GitHub, I get the warning ‘file was changed externally’ in the workflow (which is correct), but then the file that is presented in the UI after the workflow ran is not the latest version.

Can you reproduce this?

Kind regards,
Lieven.

Hi @Lieven ,
Sorry - it’s taken a while to have time to test this again, but yes - I’m seeing the same behaviour. On every push to GitHub, the action successfully runs but the policy file in the Admin Console is reverting to the original one when it was very first pushed. I’m having to ‘edit anyway’ and manually paste in my new policy file to reflect the changes, so it’s not even an issue with the GUI showing an old version and a new one running ‘behind the scenes’ as new rules don’t function.

Hey @Campbell

thanks for the confirmation, this looks like an issue that @admins should mention to the Tailscale developers to fix.

Best regards,
Lieven.

So I was seemingly able to reproduce this on my personal tailnet. But in my case, I think the problem was that I already had the ACL editor open in the admin console, and reloading the page wasn’t showing the updated ACL that was pushed from gitops.

Can you try refetching the ACL from the API to confirm whether your changes were applied?

curl -u "tskey-api-KEY:" https://api.tailscale.com/api/v2/domain/-/acl

If that works, try flushing any cached changes in your admin console window by making a change to the ACL and then clicking “Discard changes”.
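A drift check along the lines of the API suggestion above, as an added example that is not from this thread or from Tailscale: it parses the HuJSON policy file kept in the repo and the policy the API returns, and lists the top-level sections that differ, so a CI step can fail when a push did not actually land. The API URL is the one from the curl command above; the HuJSON handling and the sample policies are constructed for illustration.

```python
import json
import re
import urllib.request
from base64 import b64encode

def hujson_to_obj(text):
    """Parse HuJSON (JSON plus //, /* */ comments and trailing commas), as Tailscale policy files use."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                       # copy string literals verbatim, escapes included
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):           # line comment: skip to end of line
            end = text.find("\n", i)
            i = n if end < 0 else end
        elif text.startswith("/*", i):           # block comment: skip past the closing */
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(text[i])
            i += 1
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", "".join(out)))  # drop trailing commas

def fetch_live_acl(api_key):
    """GET the tailnet's current policy via the API path from the curl command above (network call)."""
    req = urllib.request.Request("https://api.tailscale.com/api/v2/domain/-/acl")
    req.add_header("Authorization", "Basic " + b64encode(f"{api_key}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=15) as resp:
        return hujson_to_obj(resp.read().decode())

def acl_drift(repo_policy, live_policy):
    """Top-level policy sections (groups, acls, tagOwners, ...) whose content differs between repo and tailnet."""
    keys = set(repo_policy) | set(live_policy)
    return sorted(k for k in keys if repo_policy.get(k) != live_policy.get(k))

# Constructed samples: the repo file after a comment edit and a group rename, and the stale
# policy the API still returns because the GitOps push did not land.
REPO_HUJSON = """{
  // example policy, not a real tailnet
  "groups": {"group:ops": ["alice@example.com", "bob@example.com"],},
  "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]},],
}"""
LIVE_HUJSON = """{
  "groups": {"group:admins": ["alice@example.com"]},
  "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]
}"""
```

Run `acl_drift(hujson_to_obj(open("policy.hujson").read()), fetch_live_acl(api_key))` after the workflow step; a non-empty list means the tailnet is not running what the repo says.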

Just tested and, once the updated policy is pushed by GitOps back to Tailscale, the version that I can pull from the API is much older. It’s actually a version from two days ago and there have been 10 commits with changes since then, all of which I have had to manually paste into the ACL editor, having pushed from GitHub. So it’s not an issue with caching in the editor…

Can you email the output of a CI run along with the contents of a tailscale bugreport on any of your machines to xe@tailscale.com? My thought is that something is wrong with your ACL somehow that isn’t being picked up by other layers. This should not be happening.

I looked into the ACL formatting and realised that I did have a mix of the old and new syntax, however I’ve updated that now and checked by submitting in the editor too and it is accepted fine.
What does appear to have worked is clearing the cache in GitHub Actions. If I clear that before pushing a new version, then it successfully syncs over to Tailscale and is reflected quickly via the API and in the editor window. If I then try another push without clearing the cache, it doesn’t sync. Does that help isolate the issue?